The fetches in the FedCM API are hard to reason about because of the properties required of them. After lengthy discussions, it was decided that the ID assertion endpoint should use CORS. This aligns the security properties of this fetch more closely with those of other fetches in the web platform.
The ID assertion endpoint can only be reached after the user successfully completes the FedCM flow, authorizing the use of their account for federated login on a website. However, the contents of the endpoint's response are still shared with the RP, so the CORS protocol should be followed. The IDP can determine whether a fetch comes from FedCM via a forbidden (browser-set) request header, but we still want explicit confirmation from the IDP that it is OK to share the response with the RP.
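The two checks described above, as an added example that is not part of the original note or of any browser or IDP implementation: a minimal IDP-side handler for the ID assertion endpoint, plus the browser-side CORS decision it has to satisfy. It assumes the forbidden header is `Sec-Fetch-Dest: webidentity` (the note does not name it), a constructed RP allow-list, and a simplified request object with lowercase header names.

```javascript
// Constructed allow-list of RP origins this IDP is willing to serve.
const ALLOWED_RP_ORIGINS = new Set(['https://rp.example']);

// IDP handler for the ID assertion endpoint.
// req = { headers: { 'sec-fetch-dest': ..., 'origin': ... } } (simplified, assumption)
function idAssertionResponse(req) {
  const h = req.headers;

  // Check 1: only the browser can set this forbidden header, so a request
  // without it did not come from the FedCM flow (header name is an assumption).
  if (h['sec-fetch-dest'] !== 'webidentity') {
    return { status: 400, headers: {}, body: { error: 'not a FedCM request' } };
  }

  // Check 2: the response will be handed to the RP, so the IDP must opt in
  // explicitly via CORS. The fetch carries IDP cookies (credentialed), so the
  // wildcard '*' is not acceptable; echo back only an allow-listed Origin.
  const origin = h['origin'];
  if (!origin || !ALLOWED_RP_ORIGINS.has(origin)) {
    return { status: 403, headers: {}, body: { error: 'origin not allowed' } };
  }

  return {
    status: 200,
    headers: {
      'Access-Control-Allow-Origin': origin,
      'Access-Control-Allow-Credentials': 'true',
      'Vary': 'Origin', // responses differ per Origin; keep caches honest
      'Content-Type': 'application/json',
    },
    body: { token: 'constructed-opaque-token' },
  };
}

// Browser side of the same contract: a credentialed CORS response is only
// exposed to the RP when the IDP named that exact origin and allowed credentials.
function browserWouldShareWithRp(response, rpOrigin) {
  const acao = response.headers['Access-Control-Allow-Origin'];
  const acac = response.headers['Access-Control-Allow-Credentials'];
  return acao === rpOrigin && acac === 'true';
}

module.exports = { ALLOWED_RP_ORIGINS, idAssertionResponse, browserWouldShareWithRp };
```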
Explainers: https://github.com/fedidcg/FedCM/issues/428#issuecomment-1729629625